What is the point of a red team?
It’s pretty common for people to ask us for a red team engagement to understand if their organization can be breached.
Well, every organization can be breached—you don’t need an expensive red team to prove that.
Okay, point taken, the client might say. What we actually want to know is how an attacker might breach us.
Excellent. You still don’t need a red team. A red team will always take the path of least resistance and will stop the engagement when they reach a predefined point. You won’t get all the information you need from a red team; a purple team might be better.
At this point, there’s often some confusion. After all, we’re a cyber security company; shouldn’t we want to sell you a red team? Actually, no: we don’t want our clients to waste their money. We want to have an honest discussion and only sell you services that will help solve your problems.
Here are some of the things we look for when we are considering selling a red team service.
Four key reasons to get a red team
You want a stress test
If you want to find out if you are fit, play a game of squash with an experienced player. It’s not about winning: it’s about trying to keep up with the pace.
If you feel like your blue team is ready, you might want to use a red team as a general stress test. If you know your blue team isn’t match fit yet, proceed with caution.
The red team isn’t the first test you’ve done
We usually recommend that you pen test individual systems and the corporate network before considering a red team. You should also have a solid detection and response strategy in place, including tooling that is already in use.
You have a decent threat model
You should know what your highest-value assets are and have a record of likely threats you might encounter, accounting for the type of organization and the industry you operate in.
You have budget
You need to have a reasonable budget for a red team, not only because a thorough engagement takes up a lot of consultant time (often 60+ consultant days), but because if you are stretching your budgets to breaking point to pay for a red team, there are probably more valuable things you could buy for the same money. For example, a smaller organization looking to spend money on cyber security may be better served by purchasing a year’s worth of managed detection and response if they don’t already use it.
Other good reasons for wanting a red team
Convincing others that you are ready for an engagement, or that you need more investment in security
Experienced regulators and CISOs know that red teams will always breach the organization’s defenses. To assess the strength of a blue team, they look for good detection rates.
A red team engagement is an unequivocal test of a blue team’s capability, far less open to dispute than a purple team, for example, and so it can be useful for proving to various stakeholders that the organization is ‘match ready’.
Alternatively, you could take the riskier move of using a red team to demonstrate that the organization is not secure, hoping that this might result in increased investment in security services and resources. The people to be convinced aren’t necessarily sitting around the board room table—they might be internal development teams or a group of particularly confident Cloud architects who think they’ve built something really robust.
Overcoming stage fright
Imagine you're a new SOC analyst, sitting in a room with screens everywhere, surrounded by people. Suddenly you get an alert: the organization is under attack.
SOC analysts in this position can get very real stage fright. They have trained for three years or so, and suddenly an attack is underway and it’s their job to stop it. They could lose their job if they get it wrong. Everyone else in the room is panicking as their systems crash.
Red teaming is a way to let these SOC analysts rehearse. Practicing their response in a setting that feels real, but that is actually controlled behind the scenes, is somewhat like training firefighters in real burning buildings.
When the real fire starts, your analysts are less likely to freeze.
Everyone wants a red team, but very few organizations need one. Some members of our Sales team at WithSecure have estimated that more than half of the red-team enquiries they get eventually turn into discussions about other, more effective (and less costly) engagements once the client has explained their needs.
This is because red teams, although valuable in some contexts, are not right for everyone. Remember, the real benefits of a red team are not about learning whether and how an attacker could breach your organization; red teaming is about assessing and improving defense, detection and response capabilities, and educating the blue team so that they can operate more effectively in the future.